Lares released new research highlighting the Top 5 CISO Findings encountered
by the firm's consultants over hundreds of client engagements in 2022.
A virtual Chief Information Security Officer (vCISO) serves as an external
security consultant for small and midsized companies that lack their own
internal CISO. Over the past year, the Lares vCISO Team uncovered
several common trends while assisting clients with IT risk assessments,
configuration reviews, and security program management. According to
Lares research, the most common avoidable mistakes encountered in
vCISO engagements included a lack of asset management;
vulnerabilities that are not found or patched quickly enough; blind
spots due to improper logging, monitoring, and management; rampant
insecure configurations; and minimal knowledge of how data flows through
applications, systems, and storage.
"To properly defend their organizations, security managers need to be
aware of the most prevalent issues and how to mitigate them," said Andrew Hay,
Chief Operating Officer of Lares. "These issues can often lead to
damaging data breaches or other malicious activities if left
unaddressed."
Key Takeaways:
Lack of Asset Management Causes Serious Consequences for Businesses:
Asset management systems identify and track information about an
organization's physical and electronic assets. These include physical
assets such as equipment, buildings, and properties; electronic
assets such as computers and data; and intangible
assets such as intellectual property and goodwill.
Assets that have not been properly managed or protected can lead to
thefts or financial losses, along with higher insurance costs or even
policy cancellations. Related legal problems may include copyright
infringement.
Vulnerabilities Are Not Effectively Discovered or Patched Quickly Enough:
One common mistake involves not scanning all systems for
vulnerabilities, including the network, servers, workstations, and
applications. Another concern involves not setting clear priorities for
fixing those vulnerabilities. A related problem is not patching
vulnerabilities in a timely way, which can leave the door open to
cyberattacks for months or even years to come.
Blind Spots Due to a Lack of Properly Defined Logging, Monitoring, and Management:
Too many organizations lack full visibility into their IT assets and
software systems because they do not collect logs to track when events
happened within their networks, what happened, and who was involved.
This failure to collect and use logs can lead to damaging shortcomings in regulatory
compliance and a heightened risk of security breaches.
Default and Insecure Configurations Still Run Rampant Throughout Organizations:
Default configurations are dangerous because they are well-known by
attackers and thus easy to exploit. In addition, default configurations
are often not optimized for security, such as in cases in which
unencrypted communications are allowed.
Minimal Knowledge of How Data Flows Through Applications, Systems, and Storage:
It is critical to know where data comes from, where it goes, and what
processing is done along the way. Getting a handle on these data flows
can enable organizations to quickly spot anomalous security risks and
implement mitigation measures. Common methods for documenting data flow
information include Data Flow Diagrams (DFDs), swim-lane diagrams,
activity diagrams, and process maps.
The Lares "Top 5 CISO Findings in 2022" research paper is available for download here: https://www.lares.com/lares-top-5-ciso-findings-report/